Season 3 / Episode 40
In its prime, Mt. Gox was essentially the place where Bitcoin happened. But for two years, Mt. Gox was imploding from the inside - while soaring to unprecedented success on the outside.
NOTE: Our first Listener Survey is Up! Please support the show by telling us more about yourselves, and get a special extra bonus episodes in return :-) Thanks, Ran.
- Episode 22
- Episode 23
- Episode 24
- Episode 25
- Episode 26
- Episode 27
- Episode 28
- Episode 29
- Episode 30
- Episode 31
- Episode 32
- Episode 33
- Episode 34
- Episode 35
- Episode 36
- Episode 37
- Episode 38
- Episode 40
- Episode 42
- Episode 43
- Episode 44
- Episode 45
- Episode 46
- Episode 47
- Episode 48
- Episode 49
- Episode 50
- Episode 51
- Episode 52
- Episode 53
- Episode 54
- Episode 55
- Episode 56
- Episode 57
- Episode 58
- Episode 59
- Episode 60
- Episode 62
- Episode 63
- Episode 64
- Episode 65
- Episode 66
- Episode 67
- Episode 68
- Episode 70
- Episode 71
- Episode 72
- Episode 73
- Episode 74
- Episode 75
- Episode 77
- Episode 78
- Episode 79
- Episode 80
- Episode 81
- Episode 82
- Episode 83
- Episode 84
- Episode 85
- Episode 86
- Episode 87
- Episode 88
- Episode 89
- Episode 90
- Episode 91
- Episode 92
- Episode 93
- Episode 94
- Episode 95
- Episode 96
- Episode 97
- Episode 98
- Episode 99
- Episode 100
- Episode 101
- Episode 102
- Episode 103
- Episode 104
- Episode 105
- Episode 106
- Episode 107
- Episode 108
- Episode 109
- Episode 110
- Episode 111
- Episode 112
- Episode 113
- Episode 114
- Episode 115
- Episode 116
- Episode 117
- Episode 118
- Episode 119
- Episode 120
- Episode 121
- Episode 122
- Episode 123
- Episode 124
- Episode 125
- Episode 126
- Episode 127
- Episode 128
- Episode 129
- Episode 130
- Episode 131
- Episode 132
- Episode 133
- Episode 134
- Episode 135
- Episode 136
- Episode 137
- Episode 138
- Episode 139
- Episode 140
- Episode 141
- Episode 142
- Episode 143
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 12 million downloads as of Oct. 2018.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Bitcoin / blockchain investor, Digital currency evangelist. London, Greater London, United Kingdom
Mt. Gox Part I
February, 2014. At the foot of a tall office building in the Shibuya district of Tokyo, Japan, there is a storefront.
Behind these tall glass doors is a project under construction, headed by a company just a few floors above. The store, yet to be opened, will be called “Bitcoin Cafe”. It’s being designed with an eye for style–inspired by French bistros, with programmed ceiling lights that will glow purple, orange and green. Located not far from Tokyo’s largest train hub, Bitcoin Cafe will be a hub for forward-minded, tech-savvy Tokyo citizens. You can stop by for a drink–coffee, maybe a glass of wine–and all payments will be made entirely in Bitcoin. The store’s owner, in fact, is the one who personally hacked the registers to have them take Bitcoin instead of Yen.
One million dollars have already been spent on making this the cafe of the future. But you wouldn’t otherwise know it just by walking by. After all these months of preparation, there’s little about Bitcoin Cafe that would catch your eye. Its doors are locked, its window shades closed. There’s nothing, really, that would indicate that this is Bitcoin Cafe in the first place, or really any kind of shop at all. You’ll have to look very, very close to see the word “Cafe” printed on the sign out front, because it’s masked in plastic wrapping.
Bitcoin Cafe was a really exciting idea. But we’re in 2019 now, and it didn’t ever open. It never will. Why? Well, there are a few reasons. Foremost among them: the company that owned Bitcoin Cafe, and its owner who conceived of and drove the project forward, were in a bit of a pickle in February of 2014.
Hi, I’m Ran Levi, welcome to Malicious Life, in collaboration with Cybereason. In this two-part episode of our show, I’ll be telling you the story of Mt. Gox. Mt. Gox was, for all intents and purposes, the most significant corporation in Bitcoin’s history. So significant that, at its peak, Mt. Gox handled four out of every five Bitcoin transactions. In its prime, Mt. Gox was essentially the place where Bitcoin happened. And being that cryptocurrencies were only five years old at the time, Bitcoin was the cryptocurrency.
So, naturally, it was a problem in February of 2014 when Mt. Gox checked their Bitcoin reserves to find that, of the nearly one million Bitcoin under their domain, they had possession of all of…about zero of it.
Bitcoin Cafe is a sort of metaphor for its parent company: a wonderful, romantic idea which, upon closer inspection, is completely empty. How does the most significant cryptocurrency exchange in the world up and discover it has no money in the bank? Actually, scratch that–how does anyone in possession of hundreds of millions of dollars suddenly lose it all? It’s a complicated matter. I’ll need a couple of podcast episodes to tell it all.
Mark Karpeles loves quiche.
He doesn’t just like quiche, he loves quiche. There are wives who love their husbands less than Mark loves a good quiche. He makes them all the time at home. He’s got his own, special recipes. He talks about them at length, if given the opportunity. Reporters have landed interviews with Mark on the condition that they bring him quiche ingredients from the supermarket. When designing Bitcoin Cafe’s menu–in addition to coffee, beer and wine–he made sure to include a variety of quiche options, featuring his famous apple quiche recipe. That recipe, by the way, takes hours to complete. To help matters, he hired an “independent pastry consultant”, and purchased a $35,000 pastry oven for the kitchen.
In more ways than just quiche, though, Mark is something of an enigma. Famously, in the Spring of 2013, he conducted an entire video interview with Reuters while sitting on a blue exercise ball. He would conduct meetings sitting in his vibrating massage chair. He bought a 3D printer for the company offices, which he used to make combs. What kind of food Mark Karpeles likes, or what he chooses to sit on or print, may not seem immediately relevant to the matter of multi-million dollar cyber theft, but according to those who know him, it may not be all that unrelated to it, either. “Aside from the [Bitcoin] cafe, he liked to spend time fixing servers,” one former colleague told Wired magazine, “setting up networks and installing gadgets…probably distracting himself from dealing with the real issues that the company was up against.” In the final months of his company’s existence, Mark took time off to build software for keeping track of Bitcoin Cafe’s sales. It was this unphased yet distracted approach to CEO-ing which some took issue with as his company, Mt. Gox, began to crumble in early 2014. But the story of Mt. Gox’s fall began even before Mark entered the picture.
There was a time when Mark felt as strongly about Bitcoin as he did savoury open flans. Born in a suburb of the French city of Dijon, Karpeles studied in France before moving briefly to Israel, then back to France, and ultimately to Tokyo in 2009. An appreciation for Japanese culture wasn’t the only draw for him, though. Japan was, and still is, the world’s foremost hub for cryptocurrency. Many of the field’s foremost properties originate there. There’s even a J-Pop group called the “Virtual Currency Girls”. If you want to make it in crypto, Tokyo is a good place to start. And, ever since he got his first taste of it, Mark wanted to make it in crypto. Mark first became aware of crypto as a programmer, when a client paid him for a web domain in Bitcoin. Not long after, he would find his perfect entry into the market.
The Origins of Mt. Gox
Please keep all this confidential I don’t want to start a panic and I’m not sure I’ll do it yet but I’m thinking I might try to sell mtgox. I just have these other projects I would like to devote more time to. Would you be interested? It could be very little up front and just a payout based on revenue or something. There is also an investment group that wants to fund mtgox. Probably around $158k. So you could most likely take it over with some cash.
Let me know
Mark Karpeles has been described as a “super geek”, but if it were a competition, Jed McCaleb might just beat him to the title. McCaleb is the one who first bought the domain mtgox.com. If you originally assumed Mt. Gox got named after some sort of mountain somewhere in the world, you’d be wrong. “Mount Gox” is how it came to be known, but originally, this was an acronym–not for cryptocurrency, but for a card game. The game is Magic: The Gathering, hence M-T-G-O-X, or Magic: The Gathering Online Exchange. The original intent of the site was to be a place where players could trade their online cards with one another, like a nerd stock market.
It took Jed a couple of years to realize that trading cards wasn’t really worth his time. It had only been a few months, but not many people were using the service, and Jed wasn’t terribly invested in building it up, either. By 2010, he’d entirely rehauled the site–keeping the domain name, but replacing all its source code–and transforming his venture into an early cryptocurrency exchange, where users could trade Bitcoin in exchange for U.S. dollars.
Mt. Gox rose rapidly in the months following its brand shift. There weren’t really good ways to exchange fiat currencies for cryptocurrencies in 2010, so the market was ripe for the taking. Evidently, though, as more and more customers started transferring larger- and larger-figure sums, Jed decided the work was not for him. Mark Karpeles just happened to be lucky enough to know Jed at the time, with the means and motivation to adopt the site from his friend. The two struck a deal on February 3rd of 2011, leaving Jed a minority owner and Karpeles the project’s CEO. The site was officially handed over the next month.
Among other details, there was one clause within their contract that might catch your eye. It read: “the Seller is uncertain if mtgox.com is compliant or not with any applicable U.S. code or statute, or law of any country. [. . .] The buyer agrees to indemnify Seller against any legal action that is taken against Buyer or Seller with regards to mtgox.com or anything acquired under this agreement.” It was a strange sentiment to disclose in a sale–that the outgoing CEO didn’t know whether his company was operating legally or not. It probably didn’t seem all that important at the time–the cryptocurrency market was so new, that all kinds of rules and regulations about its operation had yet to be written. Mark Karpeles, for one, seemed to take little note of it. He would’ve been prudent to pay more attention at the time.
Clause or no clause, not two years after that deal was struck would Mt. Gox become the most sought-after cryptocurrency exchange, handling 80 percent of all Bitcoin transactions worldwide, establishing itself as the default location for new Bitcoin investors, and lending its CEO fame and fortune.
One of the many Bitcoin investors who where drawn to the successful exchange was Kolin Burgess. Kolin explains, this story was told and whispered in forums and online discussions – but was far from being common knowledge.
It was June 20th, 2011 in Japan, at around 5:00 in the morning, when Jed McCaleb’s original administrator account within Mt. Gox’s systems became compromised. Using the stolen credentials of the former CEO, a hacker entered Mt. Gox’s internal systems and, in a single fell swoop, managed to artificially alter the nominal price of Bitcoin on the platform, from around 17 dollars to just one cent. The market crashed. At this pleasantly discounted price, the hacker proceeded to siphon 2,000 Bitcoin from Mt. Gox customer accounts, then sell them off afterwards at their regular value.
This hacker would never be caught. The company wouldn’t end up recovering those funds, nor would the customers whose money was leaked. The story made headline news around the crypto world.
But the real winner of that early Mt. Gox hack wasn’t even necessarily the hacker. You see: while the hacker was doing their business, and some Mt. Gox customers were being robbed, other Mt. Gox customers got quite, accidentally, lucky. Those who happened to be on the site, purchasing coin in those very moments, couldn’t have known about the major price change beforehand. Some of them, maybe, didn’t even understand what was going on in those moments. Either way, an estimated 650 Bitcoin were purchased by ordinary investors during the small window in which the coin’s price on the site had been set to one cent. Those customers left happy–or, maybe, angry with themselves for not having bought more while they had the chance. None of those purchases were ever returned to the site.
But then there were a series of other early Mt. Gox hacks–ones which didn’t make front page news, but caused serious financial and security troubles for the company. Kim Nilsson is a former Mt. Gox user–a Swedish computer scientist who would go on to lead an independent investigation into the company’s troubled history. His work, alongside that of other media outlets and law enforcement agencies, would reveal years after the fact that, in fact, Mt. Gox had experienced a whole slew of other hacks occurring in that same 2011 calendar year. On May 22nd, for example, somebody noticed an unsecured network key used by the platform–in other words, a vault without a lock. They waltzed right in and took 300,000 Bitcoin. Luckily for Mt. Gox, this wasn’t a premeditated attack by a motivated malicious agent. For that reason, and because the hack had left a trail of such easily traceable clues, the person who came into possession of the coin reached out to Mark Karpeles and offered to return the money, on the condition that there would be no investigative or legal action taken against him. One other lucky break for the company: Bitcoin was trading at only a couple of bucks by May 2011. In contrast: 300,000 Bitcoin in early 2018 would’ve translated to billions and billions of dollars.
Then in September, a more sophisticated attack struck when one or more hackers successfully compromised a Mt. Gox database, giving themselves significant administrative authority within the company’s internal networks, including read-write access to that database. They used those authorities to inflate their own account balances and then withdraw those artificially manipulated funds. This malicious agent, being more adept than some of Mt. Gox’s other hackers, had the foresight and ability to delete most of the trail of evidence connecting them to the crime, and came out with an estimated 77,500 Bitcoin in total. The following month, a hacker managed to trick the platform into thinking that coin they were stealing was in fact deposits being made by the platform itself to him.
The hacks I’ve described thus far are merely a few in a list of more than half a dozen major hacks that Mt. Gox experienced in 2011 alone. Those remaining hacks I haven’t yet mentioned will become especially relevant later in the story, so we’ll hold off on them for now.
Problems Manifesting In Mt. Gox
If anything, the June 2011 hack of Jed McCaleb’s admin account is what shook Mt. Gox HQ more than any of the others–not necessarily because of the losses, but the bad press. In response to it, the company instituted a suite of new security measures. Among them, a substantial amount of the currency Mt. Gox handled was moved into offline storage. The move was meant to create a sort of safety net–a pool of funds that couldn’t be touched by a hacker moving through their online network. The consequences of this move, it would turn out, would be far greater.
More on that later.
These 2011 hacks were like pimples on the face of the company: ugly, but little more than temporary problems. Underneath the surface, however, there were more, even greater problems at hand. As the company became the face of Bitcoin, it was slowly developing, well, how do I put it…
You know those pimples that haven’t surfaced yet? They’re big, and very uncomfortable, but they’re still entirely beneath the skin. You can’t deal with them at this stage. They just sort of sit there, waiting–a painful reminder of an imminent problem. Like an early teenager, Mt. Gox had lots of those kinds of beneath-the-skin pimples. Most of their dermatological issues rooted in Mark Karpeles’ enigmatic style of business. Enigmatic, like: not reporting half a dozen hacks of your company, leading to major financial losses, to the proper authorities. Enigmatic like choosing to buy out Bitomat: a small Polish Bitcoin exchange founded on April 4th of 2011. Three months after Bitomat was founded, they accidentally deleted all of their platform’s private keys. Private keys are what’s required to access a Bitcoin wallet, where currency is stored. That means Bitomat lost access to all the money under their control, around 17,000 Bitcoin in total. So Bitomat was like a bank that forgot the 4-digit combo to its safe. Where many saw incompetence, however, Mark Karpeles saw a potential business partnership. Seeking a subsidiary to help his company expand into Europe, Mark bought Bitomat one month after their public embarrassment, when the company put itself up for sale in order to cover for its losses. Some questioned whether acquiring a failed company, and its tens of thousands of dollars-worth of debt, right when Mt. Gox itself was losing money every month to a new data breach, was the best use of company funds.
And then there were problems manifesting within the walls of Mt. Gox’s Japanese headquarters. Engineers noted that the development team used no form of version control software. Version control, in software development, is how engineers keep track of changes to their code, address bugs, and coordinate across teams. It’s standard, almost unquestioned, practice in the field. Without such a protocol, two separate Mt. Gox engineers might alter, overwrite or delete each other’s code without realizing it in advance. And only years into their operation did the company’s software team start testing their code before publication. So for the first couple years of its existence, the site had been populated with entirely untested code.
Software issues, alongside some serious accounting errors, led to significant financial losses for the company over its lifespan. During the month of October 2011, a whole 44,300 Bitcoin was incorrectly distributed to 48 user accounts. While a portion of that money ended up being retrieved, most of the beneficiaries of the company’s errors weren’t so keen on returning their free money, and so 30,000 coins would remain lost to its rightful owners. On the 28th of the month, Mark Karpeles himself shifted to using a new wallet software. The software had a bug in it, which ultimately caused 2,609 Bitcoin to be sent to a broken key, rendering it irretrievable.
The DHS Gets Involved
For two years, Mt. Gox was imploding from the inside and soaring to unprecedented success on the outside. The cracks in the wall started to publicly manifest only as late as 2013, when their business in the United States fell under scrutiny. Earlier that year, Gox agreed to hand its American operation over to a firm called Coinlab. But then they just…didn’t. So in May, Coinlab sued Mt. Gox to the tune of 75 million dollars, claiming breach of contract.
It’s difficult to tell what was more concerning to Mark Karpeles: a 75 million dollar lawsuit, or the moment, that same month, when the United States Department of Homeland Security issued a warrant to seize his company’s U.S.-based funds. Remember that strange stipulation in the contract that issued Mt. Gox to Karpeles in 2011? “The Seller is uncertain if mtgox.com is compliant or not with any applicable U.S. code or statute, or law of any country.” This is where that stipulation comes back around to haunt him.
Immigration and Customs Enforcement–an investigative arm of the DHS–found that the U.S. subsidiary of Mt. Gox–named Mutum Sigillum LLC–had been operating without license from the U.S. Financial Crimes Enforcement Network, rendering the exchange an unregistered money transmitter. As part of the US DHS investigation it was revealed that, in order to accept U.S. dollars from American customers, Karpeles had registered a company bank account with Wells Fargo on May 20th, 2011. As part of the application Karpeles had to fill out in order to activate the account, there were two questions of particular interest to investigators: first, “Do you deal in or exchange currency for your customer?” and second, “Does your business accept funds from customers and send the funds based on customers’ instructions (Money Transmitter)?” As a currency exchange, you’d expect both of those questions to be met with a resounding “yes”. For whatever reason, Karpeles checked the box for “No” next to both.
Bitcoin, in this early stage of its existence, had a reputation as being a preferred means of money transfer for drug dealers and other criminals. It may be that the DHS’ interest in Mutum Sigillum was rooted in that reputation, and Mark’s apparent disregard for rules and regulations raised red flags. The U.S. government seized a total of five million dollars from Mt. Gox’s bank accounts. As a result, the exchange instituted a month-long ban on U.S. dollars, and lost access to the third party e-commerce platform it used for American money exchanges. Customers began seeing delays in their money withdrawals that lasted, in some cases, for months on end when, in response to their financial and legal perils, Mt. Gox’s Japanese bank, which just one month earlier was processing a reported 300,000 to one million dollars for them every day, now limited their service to just ten transactions a day.
Mark Karpeles, in the middle of all this, was facing up to five years in jail for his crimes.
By the end of 2013, Mt. Gox had experienced half a dozen hacks, systematic corporate mismanagement, a multi-million dollar lawsuit and a U.S. government investigation. The company was once synonymous with all things Bitcoin trading. Now, because of its near halt on transaction throughput, it fell to being the third most popular cryptocurrency exchange worldwide, behind Russia-based BTC-e, and Slovenia-based Bitstamp. But hey, third place, for a company like that? Not bad, if you ask me.
Except none of this is the reason why Mt. Gox is so notorious today in the history of cryptocurrency. The company was battered, beaten and yet remained standing, even excelling, through its tumultuous first three years of operation.
Mark and his coworkers had about two months to enjoy it, before everything would come crumbling down.
Back when Mt. Gox got hacked in June of 2011, the whole company–in a sense, the whole Bitcoin community–went into panic mode. Engineers at the company worked day and night to get the exchange back up and running, after it shut down. Some Bitcoin enthusiasts in the Tokyo area were enlisted as mercenaries, sitting alongside the team to fix what was broken. Here was a small army of programmers working on the site, fielding calls from concerned customers, and generally doing anything possible to try and patch the holes in the ship. One investor and friend to the company, Jesse Powell, flew into Japan from San Francisco just to sit in the trenches and help. He went straight from the airport to the company’s offices, without even bothering to drop off his bags in a hotel. In an interview with Wired Magazine he revealed that, at one point, he’d went and bought 5,000 dollars worth of computers just to add firepower to the cause.
But Mark Karpeles, I said earlier, is something of an enigma. It’s one of the only adjectives you can use, in making sense of what he decided to do during the period of time when his company was on its first brink of failure. A hacker by trade, CEO by circumstance, Mark was right in the thick of that recovery effort, as you’d imagine. By Friday night of that week the site remained offline, so all the volunteers and employees of the company agreed to come in to work over the weekend. Except on Saturday, the team discovered that Mark was a no-show. Think about that: volunteers were giving up their time to help the company, and its CEO was nowhere to be found. When Mark did return on Monday, he spent much of the day on tasks unrelated to the shutdown.
Mark’s behavior that week left his team thoroughly demoralized. Jesse Powell, for one, learned some valuable lessons from the experience. “It was clear after that hack at Mt. Gox,” he told Bloomberg News years afterward, “that the exchange is really the most critical piece of the ecosystem…”. Jesse went on to found his own cryptocurrency exchange, Kraken, not one month after being inside the halls at Mt. Gox. He told Bloomberg “I wanted there to be another one to take its place, if Mt. Gox failed.” In other words: “This company is a nightmare, and I want to be the one making the money when it finally does croak.” Ironically enough, after Jesse’s prediction did end up coming true, his company worked side-by-side with government bodies in the investigation into why it happened.
Unfortunately for many, Mark Karpeles himself didn’t take away any of the valuable lessons to be had from his company’s first publicized hack. It would come back to haunt him the second time around. When Mt. Gox began showing signs of serious problems in early 2014, you’d imagine Jesse Powell was sitting in his living room, or at his desk somewhere, looking over articles and online forums, knowing something the rest of us didn’t.
It all started with that U.S. government investigation, and the decision from their Japanese bank to severely limit transaction throughput. As requests to withdraw money piled up to no end in mid-to-late 2013, Bitcoin investors nervously wondered what was going on behind closed doors.
The Fall Of Mt. Gox
On February 7th, 2014, the Mt. Gox exchange issued a moratorium on all withdrawals. Their reasoning was (and I quote): “to obtain a clear technical view of the currency process.” If you’re not sure what that means, that’s because it basically means nothing. Three days later, the company issued an official press release on the matter, citing a software bug that had previously caused issues for some other exchanges.
A known patch had already existed for the Bitcoin software bug Mt. Gox referenced in their February 10 press release, so as the days went on and the moratorium remained, the financial status of the site became a more and more present concern for customers with their money locked away. Investors were already speculating about the company’s solvency. A poll published by CoinDesk, one week after Mt. Gox set that full pause on withdrawals, found that 68 percent of Mt. Gox users were waiting on money withdrawals, with 21 percent of users having been waiting over three months.
By the 20th of the month the price of Bitcoin on the site plummeted below half of its value just weeks before. Protests started to form outside Mt. Gox’s Tokyo offices, causing the company to move temporarily due to “security concerns”. One of the protestors was Kolin Burgess whom we heard back in the beginning of the episode. Kolin says he and his fellow investors were already suspicious that Mt. Gox was far from being honest with them.
On Feburary 24th, mtgox.com went dark. Mark and his company gave vague explanations for the shutdown to press, but an internal document which leaked just hours later told the real story…
Mt. Gox had been hacked, for all it was worth. Of the hundreds of thousands of Bitcoin the site managed as of the beginning of 2014, it now had possession over, well, just about none of it. The company declared bankruptcy on February 28th.
The Hack That Killed Mt. Gox
When we use the word “hack” to describe what bankrupted Mt. Gox, you may have a slightly imperfect picture in your head about what that means. Usually when we talk about hacks on Malicious Life, we’re talking about events. The digital equivalent of breaking into a bank vault, corporate headquarters or a person’s home. The Mt. Gox hack of February 2014 wasn’t like breaking into a bank vault. It was more like digging a hole at the bottom of a bank vault, and building a tunnel from that hole directly into your pocket. Then, over the next three years, you get a little bit richer every time the bank’s employees toss more cash unknowingly down the tube.
You see, every Bitcoin account possesses two categories of identification: a public key and a private key. Broadly speaking, your public key is like your Bitcoin username, and your private key is your password. These are long, complicated, auto-generated strings of information that you yourself won’t keep track of, but they’re how you’ll interact with your money, as well as other users in the network. The Bitcoin ledger, which displays all transactions between all parties over the entire history of the coin, will display your public key in association with any transaction you enact in the system. Your private key is tied to your public key, but known only to your computer system, so as to ensure your sole ownership over your account. Even large organizations like Mt. Gox–digital wallets, which facilitate individual users’ network activity–have their own private keys, saved in “wallet.dat” files.
By 2011, you’ll remember, cryptocurrency is only a two-year-old concept. A lot of kinks have yet to be worked out. One of those kinks just happened to be that private keys were not, by default, encrypted. If you didn’t manually encrypt your data, and someone could get hold of or hack into your computer system, they could simply take your private key for themselves.
In hindsight, this kind of security vulnerability seems glaringly obvious. But Bitcoin wasn’t worth nearly then what it is now. Predicting risk isn’t always an easy task in cyber security. Bitcoin wasn’t worth hacking until it became valuable, and in its earliest days, getting the system to work in the first place, and getting investors to buy into the concept, probably took first place over security in most people’s minds.
On September 23rd, 2011, as part of the Bitcoin version 0.4.0 network update, the platform’s Core Wallet did implement automatic, password- and pin-protected encryption. If that update could’ve come just weeks, even days earlier, it might have stopped the malicious agent who somehow, some way, managed to copy the wallet.dat file associated with the Mt. Gox exchange. But alas, history had other plans for Bitcoin and its constituents. By that time in 2011, we already know now, the company had been hit with at least half a dozen other cyber attacks. This one, though? This one was different. The copied wallet.dat file did, naturally, include all the private information the Mt. Gox company had stored. With everybody’s private access codes, this hacker now had free reign to funnel money at will, all while appearing to the system like legitimate transactions between account holders.
Most malicious agents, with this kind of power, would simply drain all of the money under Mt. Gox’s name and run with it. This hacker totally could have done that. But they were too smart to be baited. Stealing so much coin at once could seriously jeopardize the market, causing the very stolen coin to become heavily devalued. Mt. Gox would probably go under, or at least catch on and secure their systems, meaning the free money tunnel would be cut off. So, rather than take the company for all it was worth at once, this hacker initiated a longer-term plan. Over the next two years, this hacker slowly but surely siphoned money out from Mt. Gox, without anyone being the wiser.
What that means is that while Mt. Gox was soaring to becoming the face of the cryptocurrency market, while individuals at the cutting edge of technology and finance were learning about, getting excited about, and buying into this new form of investment, propping Bitcoin up from a cheap utopian concept into a veritable worldwide phenomenon, a whole seven percent of all Bitcoin in existence was slowly, methodically, making its way into the hands of an attacker.
An incompetent CEO, or a mastermind thief?
In an already premature market, the decline of Mt. Gox threatened the very existence of Bitcoin and all its proponents. The price of the coin dropped over 20 percent in the month of March 2014, following Mt. Gox’s bankruptcy filings. Sensing a frenzy among investors and a declining reputation in the rest of the world, CEOs and founders of six of the largest other Bitcoin exchanges–not least Jesse Powell of Kraken, formerly a friend and ally to Mark Karpeles and his company–published a joint statement condemning Mt. Gox and its business practices, using words like “tragic” and “trust squandered”, and pledging to create a more secure, transparent future for the industry.
While investors decried the loss of their money to Mt. Gox, and fought to make Hell about it, few people can claim to have as bad a month as Mark Karpeles did. The day before his entire company shuttered, he resigned from his post as co-founder of the Bitcoin Foundation–the highest organization tasked with oversight of the Bitcoin network. Protests continued outside his company’s Tokyo offices, and Karpeles was now receiving waves of hate mail and death threats every day, as well as lawsuits. One class action suit was filed in order to prevent him from moving any money overseas. Why? Because many people suspected that Mark Karpeles was his own company’s hacker.
With no other scapegoat quite so fitting, Mark Karpeles had become, in the span of just a few weeks, the unquestioningly most hated man in Bitcoin. But why would he put his own company out of business? Was this man a negligent, incompetent CEO, or a devious, mastermind thief? Find out next time, on Malicious Life.